| Application Path | Rails Version | Brakeman Version | Report Time | Duration | Checks Performed |
|---|---|---|---|---|---|
| /Users/cktricky/tmp/railsgoat | 3.2.11 | 2.6.1 | 2014-07-29 12:41:05 -0500 | 2.412842 seconds | BasicAuth, ContentTag, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, EscapeFunction, Evaluation, Execute, FileAccess, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NumberToCurrency, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, ResponseSplitting, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoS, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, YAMLParsing |
| Scanned/Reported | Total |
|---|---|
| Controllers | 17 |
| Models | 11 |
| Templates | 73 |
| Errors | 0 |
| Security Warnings | 27 (16 high confidence) |
| Ignored Warnings | 0 |
| Warning Type | Total |
|---|---|
| Attribute Restriction | 1 |
| Command Injection | 1 |
| Cross Site Scripting | 5 |
| Cross-Site Request Forgery | 1 |
| Denial of Service | 2 |
| File Access | 1 |
| Format Validation | 1 |
| Mass Assignment | 5 |
| Remote Code Execution | 5 |
| SQL Injection | 3 |
| Session Setting | 2 |
Security Warnings
| Confidence | Class | Method | Warning Type | Message |
|---|---|---|---|---|
| High | BenefitFormsController | download | File Access | |
| High | Api::V1::MobileController | show | Remote Code Execution | |
| High | Api::V1::MobileController | index | Remote Code Execution | |
| High | BenefitFormsController | download | Remote Code Execution | |
| High | | | Session Setting | |
| High | | | Session Setting | |
| High | UsersController | update | SQL Injection | |
| High | | | SQL Injection | Rails 3.2.11 contains a SQL injection vulnerability (CVE-2013-6417). Upgrade to 3.2.16 |
| Medium | Benefits | Benefits.make_backup | Command Injection | |
| Medium | | | Denial of Service | Rails 3.2.11 has a denial of service vulnerability in ActiveRecord: upgrade to 3.2.13 or patch |
| Medium | | | Remote Code Execution | |
| Medium | Analytics | hits_by_ip | SQL Injection | |
| Medium | PasswordResetsController | reset_password | Remote Code Execution | |
| Medium | | | Cross Site Scripting | Rails 3.2.11 has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version 3.2.17 |
| Medium | | | Denial of Service | Rails 3.2.11 has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version 3.2.16 |
Controller Warnings
| Confidence | Controller | Warning Type | Message |
|---|---|---|---|
| High | ApplicationController | Cross-Site Request Forgery | 'protect_from_forgery' should be called in ApplicationController |
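What the missing `protect_from_forgery` call would enforce, shown as an added plain-Ruby model of the synchronizer-token check rather than code from the report or from RailsGoat. The session and params are hashes, the `CsrfGuard` class and its method names are assumptions for illustration, and the header-based (`X-CSRF-Token`) and masked-token variants Rails also accepts are left out.

```ruby
require "securerandom"

# Added example (not from the Brakeman report or RailsGoat): the core of what
# protect_from_forgery does, modelled without Rails. Names are assumptions.
class CsrfGuard
  # Verbs that must be side-effect free and are therefore not checked.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Issue (or reuse) a per-session secret. The form embeds it as the
  # authenticity_token hidden field; a cross-site attacker cannot read it.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Returns true if the request may proceed: safe verbs always pass, anything
  # else must carry a token equal to the session's, compared in constant time.
  def self.verified?(session, method, params)
    return true if SAFE_METHODS.include?(method.upcase)

    expected = session[:_csrf_token]
    given = params["authenticity_token"]
    return false if expected.nil? || given.nil?

    secure_compare(expected, given)
  end

  # Length-then-XOR comparison so a mismatch does not short-circuit on the
  # first differing byte and leak the token through timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario 1: a form on an attacker's site posts to the app using
# the victim's cookie; the browser sends the session, but not the token.
def cross_site_post_allowed?
  session = {}
  CsrfGuard.token_for(session)
  CsrfGuard.verified?(session, "POST", { "email" => "victim@example.com" })
end

# Constructed scenario 2: the app's own form, rendered with the session token.
def same_site_post_allowed?
  session = {}
  token = CsrfGuard.token_for(session)
  CsrfGuard.verified?(session, "POST", { "authenticity_token" => token })
end

if __FILE__ == $PROGRAM_NAME
  puts "cross-site POST allowed? #{cross_site_post_allowed?}" # false
  puts "same-site  POST allowed? #{same_site_post_allowed?}"  # true
end
```

In a Rails 3.2 app the equivalent is a single `protect_from_forgery` line in `ApplicationController`; without it every `POST`, `PUT` and `DELETE` action behaves like the first scenario, and the browser supplies the victim's session cookie automatically.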
Model Warnings
| Confidence | Model | Warning Type | Message |
|---|---|---|---|
| High | Benefits | Attribute Restriction | Mass assignment is not restricted using attr_accessible |
| High | User | Format Validation | |
| High | User | Mass Assignment | Potentially dangerous attribute available for mass assignment: :admin |
| Weak | KeyManagement | Mass Assignment | Potentially dangerous attribute available for mass assignment: :user_id |
| Weak | Message | Mass Assignment | Potentially dangerous attribute available for mass assignment: :creator_id |
| Weak | Message | Mass Assignment | Potentially dangerous attribute available for mass assignment: :receiver_id |
| Weak | User | Mass Assignment | Potentially dangerous attribute available for mass assignment: :user_id |
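The Benefits and User rows above describe the same failure mode: with no `attr_accessible` whitelist, every key a client sends reaches a model setter, so a request that includes `admin=true` promotes the caller. The following added example (not code from the report or from RailsGoat) reproduces that in plain Ruby so it runs without Rails: `UnrestrictedUser` mirrors a Rails 3.2 model with no attribute restriction, `RestrictedUser` mirrors one with an `attr_accessible`-style whitelist. The class names, the `ACCESSIBLE` list and the request hash are constructed for illustration.

```ruby
# Added example (not from the Brakeman report or RailsGoat): Rails 3.2 mass
# assignment modelled in plain Ruby. All names below are assumptions.

# Equivalent of a model with no attr_accessible: every incoming key is
# written to a matching setter, including ones the form never exposed.
class UnrestrictedUser
  attr_accessor :email, :admin

  def initialize
    @admin = false
  end

  def assign_attributes(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Equivalent of attr_accessible :email (or strong parameters' permit(:email)):
# keys outside the whitelist are dropped, so :admin cannot be set from params.
class RestrictedUser
  ACCESSIBLE = %i[email].freeze # assumed whitelist; :admin deliberately absent
  attr_accessor :email, :admin

  def initialize
    @admin = false
  end

  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_sym
      unless ACCESSIBLE.include?(key)
        # Rails 3.2 logs protected-attribute assignment; with
        # config.active_record.mass_assignment_sanitizer = :strict it raises.
        warn "mass assignment of protected attribute #{key.inspect} rejected"
        next
      end
      public_send("#{key}=", value)
    end
    self
  end
end

# Constructed request body: what a user would submit to an update action
# after adding an extra field to the form.
MALICIOUS_PARAMS = { "email" => "mallory@example.com", "admin" => true }.freeze

def admin_after_unrestricted_update(params = MALICIOUS_PARAMS)
  UnrestrictedUser.new.assign_attributes(params).admin
end

def admin_after_restricted_update(params = MALICIOUS_PARAMS)
  RestrictedUser.new.assign_attributes(params).admin
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted model: admin=#{admin_after_unrestricted_update}" # true
  puts "restricted model:   admin=#{admin_after_restricted_update}"   # false
end
```

The Weak-confidence rows (`:user_id`, `:creator_id`, `:receiver_id`) are the same mechanism applied to ownership columns: a writable foreign key lets a client reassign a record to another user rather than grant itself a role, which is why Brakeman flags them at lower confidence but in the same category.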
View Warnings
| Confidence | Template | Warning Type | Message |
|---|---|---|---|
| High | layouts/application (AdminController#dashboard) | Cross Site Scripting | |
| High | pay/index (PayController#index) | Cross Site Scripting | |
| High | pay/index (PayController#index) | Cross Site Scripting | |
| High | pay/index (PayController#index) | Cross Site Scripting | |